Gmail 支援第三方軟體掛入了...

以往都是第三方廠商要透過 browser extension 硬掛進去 (當 Gmail 改版的時候又要修),現在 Gmail 直接提供界面讓他們掛進來了:「Do more from your inbox with Gmail Add-ons」。

包括 Gmail 以及 G Suite 都能用 (應該會需要管理員掛進來?):

Knock out action items the minute they hit your inbox. G Suite and Gmail users can check out the G Suite Marketplace to find and install Gmail Add-ons.

另外也可以自己開發掛入:

If you're a developer, you can also easily create add-ons for your app or your organization—write your add-on code once and it will run natively in Gmail on web and Android right away. Learn more.

DHS 要求郵件系統都必須使用 STARTTLS、DMARC,並且全面禁用 RC4 與 3DES

Twitter 上看到 18F 貼了 DHS 的新規定:「Enhance Email and Web Security」。

郵件系統的部份,要求要有 STARTTLS,並且設定 SPFDMARC。另外禁用 SSLv2 SSLv3,以及 RC43DES

網站的部份,則是要求 HTTPS 以及 HSTS。另外也與郵件系統一樣禁用 SSLv2、SSLv3,以及 RC4 與 3DES。

不只 18F 一個單位在推動,這樣整體的速度才會加快...

Amazon 的 SES 推出 Dedicated IP Pool

Amazon SES 推出了 Dedicated IP Pool:「New – SES Dedicated IP Pools」,也就是發信時可以使用自己專屬的 IP address。

Today we released Dedicated IP Pools for Amazon Simple Email Service (SES). With dedicated IP pools, you can specify which dedicated IP addresses to use for sending different types of email.

價錢其實不算貴?每個 IP 的費用是 USD$24.95/month,對於量夠大的單位可以避免被其他人影響:

Dedicated IPs are $24.95 per address per month at the time of this writing – but you can find out more at the pricing page.

不過 SES 用起來最痛的問題還是在對於收信人不存在時的 bounce rate...

Amazon SES 增加開信率與點擊率的功能

Amazon SES 的產品定位不是 transaction mail 嗎?這個功能沒看懂想做什麼 XD:「Amazon SES Introduces Open and Click Metrics for Tracking Customer Engagement」。

Amazon Simple Email Service (Amazon SES) now includes the ability to track open and click events, as well as the ability to publish email sending events to Amazon Simple Notification Service (Amazon SNS).

另外就是... 我記得類似的功能其他家做得更好更成熟 XD

又是 ImageMagick 出包...

ImageMagick 的 information leaking,然後 Yahoo! 很無奈的中獎,所以被稱為 Yahoobleed:「Yahoo! retires! bleeding! ImageMagick! to! kill! 0-day! vulnerability!」。發現問題的作者把問題寫在「*bleed continues: 18 byte file, $14k bounty, for leaking private Yahoo! Mail images」這邊。

作者利用 ImageMagick 的不當處理,取得 uninitialized memory 的資訊,藉以取得可能是上次轉檔的記憶體內容。而這個 jpeg 只有 18bytes (所以作者戲稱每個 byte 價值 USD$778):

A robust bounty of $14,000 was issued (for this combined with a similar issue, to be documented separately). $778 per byte -- lol!

目前的 workaround 也很簡單 (官方採用了),呼叫 ResetMagickMemory 避免 leaking (咦,這方法好像哪邊怪怪的):「Reset memory for RLE decoder (patch provided by scarybeasts)」。

Amazon SES 提供 Dedicated IP Address 的養 IP 機制...

透過混搭本來的 shared IP address (已經對各 ISP 有信用) 與客戶租用的 dedicated IP address 混發,然後一段時間後養起來 (最多 45 days):「Amazon SES Can Now Automatically Warm Up Your Dedicated IP Addresses」。

Amazon SES controls the amount of email that can be sent through an IP address. Amazon SES uses a predefined warm-up plan that indicates the maximum number of emails that can be sent daily through an IP address to ensure the traffic is increasing gradually over 45 days.

要注意的是,這個過程需要發五萬封才有辦法養出來,不是設上去就會自己養

After you successfully warm up your dedicated IPs (either by yourself or by using the Amazon SES automatic warm-up mechanism), you must send at least 50,000 emails per dedicated IP per day so that the IPs maintain a positive reputation with ISPs. To avoid throttling by the ISPs, avoid sending a high volume of emails soon after the completion of warm-up; we recommend gradually increasing the volume for better deliverability.

現在弄 mail service 超麻煩的...

Amazon EC2 會對 Port 25 的連線數量限制

起因於一台 ap-northeast-1 的機器 (東京) 會使用 us-west-2 的 SES (美西,奧勒岡),然後發現信延遲的有點嚴重,看 mail log 發現是因為連線 timeout。

查了以後發現在「Amazon SES SMTP Issues」這邊就有提到 EC2 instance 對 port 25 有限制:

You are sending to Amazon SES from an Amazon EC2 instance via port 25 and you cannot reach your Amazon SES sending limits or you are receiving time outs—Amazon EC2 imposes default sending limits on email sent via port 25 and throttles outbound connections if you attempt to exceed those limits. To remove these limits, submit an Amazon EC2 Request to Remove Email Sending Limitations. You can also connect to Amazon SES via port 465 or port 587, neither of which is throttled.

按照建議,直接走 port 587 就可以解決,另外一個方法是開 support ticket 請 AWS 解除:「How do I remove the throttle on port 25 from my EC2 instance?」。

Amazon EC2 throttles traffic on port 25 of all EC2 instances by default, but you can request that this throttle be removed for your instance at Request to Remove Email Sending Limitations (you must sign in with your root account credentials). Provide a description of your use case for sending email, and then choose Submit.

還是改走 port 587 比較簡單一點...

Gmail 要開始導入 SMTP Strict Transport Security 了

SMTP MTA Strict Transport Security 算是 SMTP STARTTLS 裡的 HSTS 機制,而 Google 的人在 RSA Conference 上提出要開始用了:「SMTP STS Coming Soon to Gmail, Other Webmail Providers」。

Elie Bursztein, the head of Google’s anti-abuse research team, said at RSA Conference that SMTP STS will be a major impediment to man-in-the-middle attacks that rely on rogue certificates that are likely forged, stolen or otherwise untrusted. Google, Microsoft, Yahoo and Comcast are expected to adopt the standard this year, a draft of which was submitted to the IETF in March 2016.

補上去後對於 SMTP 的隱私保護就會更好了...

Amazon SES 的固定 IP 服務

怎麼這麼多消息啊... 這次是 Amazon SES 宣佈提供固定 IP 服務:「Amazon SES Now Offers Dedicated IP Addresses」。

這樣可以減少被其他人影響到 reputation,提昇穩定度:

Amazon Simple Email Service (Amazon SES) now offers dedicated IP addresses, which enable you to manage the reputation of the IP addresses that Amazon SES uses to send your email.

而要用這個功能的人要額外申請:

To request dedicated IPs, open an SES Sending Limits Increase Case in Support Center. In the use case details, specify that you are requesting dedicated IPs.

Yandex.Mail 從 Oracle 搬移到 PostgreSQL 上的故事

Hacker News Daily 上看到 Yandex.MailOracle 搬到 PostgreSQL 的故事:「Yandex.Mail success story」。

首先是在 Oracle-based 的系統上遇到的問題:

除了技術類的問題外,這個「Not very responsive support」可以看到對 Oracle 的服務很不滿意。

另外下一張投影片只講 shop.oracle.com 是主要原因... 我猜是 Oracle 在開始提供 cloud service 後把售價都拉高。在最後的 Summary 看起來也有點像:

雖然沒有講明換 PostgreSQL 的理由,但注意到「3x more hardware」這點,這表示是原來的四倍。在這樣的情況下還是要換,可以猜測 Oracle 的授權費用在 web-scale 服務上的問題。

另外如果仔細品投影片,可以發現其實 migration 成功的原因是 DBA team 的能力夠強大,以及充足的時間修正問題 (可以看到作者在 mailing list 上一直提問也一直修正問題)。如果當初評估後決定要換到 MySQL,我相信也是會順利完成...